The Cisco IOS® Software Network Address Translation functionality
contains three denial of service (DoS) vulnerabilities. The first vulnerability
is in the translation of Session Initiation Protocol (SIP) packets, the second
vulnerability is in the translation of H.323 packets, and the third vulnerability
is in the translation of H.225.0 call signaling for H.323 packets.

Cisco has released software updates that address these vulnerabilities.

Note: The September 22, 2010, Cisco IOS Software
Security Advisory bundled publication includes six Cisco Security Advisories.
Five of the advisories address vulnerabilities in Cisco IOS Software, and one
advisory addresses vulnerabilities in Cisco Unified Communications Manager.
Each advisory lists the releases that correct the vulnerability or
vulnerabilities detailed in the advisory. The table at the following URL lists
releases that correct all Cisco IOS Software vulnerabilities that have been
published on September 22, 2010, or earlier:

Alternatively, administrators can use the show running-config |
include ip nat command to verify if NAT has been enabled on the router
interfaces.

For NAT to be enabled on a router, either the ip nat inside and
ip nat outside commands must be present on different interfaces or,
in the case of NAT Virtual Interface, the ip nat enable interface
command must be present.

In order to determine the software that runs on a Cisco IOS product,
log in to the device and issue the show version command to
display the system banner. Cisco IOS software identifies itself as
"Internetwork Operating System Software" or simply "IOS." On the next line of
output, the image name displays between parentheses, followed by "Version" and
the Cisco IOS release name. Other Cisco devices do not have the show version
command or give different output.

The following example shows output from a device that runs
an IOS image:

The three vulnerabilities are triggered by transit traffic that needs
to be processed by the NAT feature. The vulnerabilities are independent of
each other.

NAT for SIP DoS Vulnerability

SIP is a popular signaling protocol that is used to manage voice and
video calls across IP networks such as the Internet. SIP is responsible for
handling all aspects of call setup and termination. Voice and video are the
most popular types of sessions that SIP handles, but the protocol has the
flexibility to accommodate other applications that require call setup and
termination.

NAT for SIP translates packets using UDP (port 5060) or TCP
(port 5060) as the underlying transport protocol. The NAT for SIP DoS
vulnerability can be exploited only with the use of UDP port 5060
packets.

This vulnerability is documented in Cisco bug ID CSCtf17624
(registered customers only) and has been assigned Common Vulnerabilities
and Exposures (CVE) ID CVE-2010-2831.

NAT for H.323 DoS Vulnerability

H.323 is the International Telecommunication Union (ITU) standard for
real-time multimedia communications and conferencing over packet-based (IP)
networks.

NAT for H.323 translates packets on TCP port 1720. There is
a DoS vulnerability in the NAT processing of H.323 packets. The vulnerability
does not require the completion of a TCP three-way handshake.

This vulnerability is documented in Cisco bug ID CSCtf91428
(registered customers only) and has been assigned Common Vulnerabilities
and Exposures (CVE) ID CVE-2010-2832.

NAT for H.225.0 DoS vulnerability

H.323 is the ITU standard for real-time multimedia communications and
conferencing over packet-based (IP) networks. A subset of the H.323 standard is
H.225.0, a standard used for call signaling protocols and media stream
packetization over IP networks.

NAT for H.225.0 translates packets on TCP port 1720. There
is a DoS vulnerability in the NAT translation of H.225.0 call signaling for
H.323 packets.

This vulnerability is documented in Cisco bug ID CSCtd86472
(registered customers only) and has been assigned Common Vulnerabilities
and Exposures (CVE) ID CVE-2010-2833.

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys
vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can
then compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Successful exploitation of any of the vulnerabilities described in this
document may cause the affected device to reload. Repeated exploitation will
result in an extended denial of service (DoS) condition.

When considering software upgrades, also consult
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade
solution.

In all cases, customers should exercise caution to be
certain the devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported properly by
the new release. If the information is not clear, contact the Cisco Technical
Assistance Center (TAC) or your contracted maintenance provider for assistance.

Each row of the following Cisco IOS Software table
corresponds to a Cisco IOS Software train. If a particular train is vulnerable,
the earliest releases that contain the fix are listed in the First Fixed
Release For This Advisory column. The First Fixed Release for All Advisories in
the September 2010 Bundle Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco IOS
Software Security Advisory bundled publication. Cisco recommends upgrading to
the latest available release, where possible.

Major Release | Availability of Repaired Releases

Affected 12.0-Based Releases | First Fixed Release for This Advisory | First Fixed Release for All Advisories in the September 2010 Bundle Publication

There are no affected 12.0 based releases

Affected 12.1-Based Releases | First Fixed Release for This Advisory | First Fixed Release for All Advisories in the September 2010 Bundle Publication

Cisco IOS XR Software Table

The mitigations for the NAT vulnerabilities disable the respective
Application Layer Gateway NAT processing. That is, packets will continue to be
translated at the network and transport layers, but the embedded IP addresses
will not be translated.

NAT for Session Initiation Protocol DoS Vulnerability

Mitigation for this vulnerability consists of disabling NAT for SIP
over the UDP transport by using the no ip nat service sip udp port
5060 global configuration command.

NAT for H.323 DoS Vulnerability

Mitigation for this vulnerability consists of disabling NAT for H.323
and H.225.0 using the no ip nat service h225 global
configuration command.

NAT for H.225.0 DoS vulnerability

Mitigation for this vulnerability consists of disabling NAT for H.323
and H.225.0 using the no ip nat service h225 global
configuration command.
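
The NAT enablement rule and the two mitigation commands described in this advisory can be checked offline against a saved running configuration. The following is an added example, not Cisco code: the function name audit_nat and the sample configuration are constructed for illustration, and it assumes the mitigation commands appear verbatim in the running configuration once applied.

```python
import re

# Constructed running-config excerpt (sample data, not from the advisory).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/1
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
no ip nat service sip udp port 5060
"""

def audit_nat(config):
    """Return NAT enablement and ALG mitigation state for a running-config."""
    roles = {}           # interface name -> NAT roles configured on it
    current = None       # interface block being parsed, if any
    global_cmds = set()  # top-level (non-interface) commands
    for raw in config.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not raw.startswith(" "):           # top-level line ends any block
            m = re.match(r"interface (.+)$", line)
            current = m.group(1) if m else None
            if not m:
                global_cmds.add(line)
            continue
        # Only interface-level commands count; a global "ip nat inside
        # source ..." line also matches "include ip nat" but enables nothing.
        m = re.fullmatch(r"ip nat (inside|outside|enable)", line)
        if m and current:
            roles.setdefault(current, set()).add(m.group(1))
    inside = {i for i, r in roles.items() if "inside" in r}
    outside = {i for i, r in roles.items() if "outside" in r}
    nvi = {i for i, r in roles.items() if "enable" in r}
    # Classic NAT needs inside and outside on different interfaces;
    # NAT Virtual Interface needs only "ip nat enable" on an interface.
    nat_enabled = any(i != o for i in inside for o in outside) or bool(nvi)
    return {
        "nat_enabled": nat_enabled,
        "sip_udp_mitigated": "no ip nat service sip udp port 5060" in global_cmds,
        "h225_mitigated": "no ip nat service h225" in global_cmds,
    }

if __name__ == "__main__":
    print(audit_nat(SAMPLE_CONFIG))
```

A device that reports nat_enabled as true with either mitigation flag false still performs the corresponding Application Layer Gateway processing; whether it is vulnerable also depends on the software release it runs.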

Cisco has released software updates that address these vulnerabilities. Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set compatibility and
known issues specific to their environment.

Customers with contracts should obtain software through their regular update channels. For most customers, software patches and bug fixes should be obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com.

Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for guidance and assistance with the appropriate course of
action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on
specific customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected products
and releases, customers should consult with their service provider or support
organization to ensure any applied workaround or fix is the most appropriate
for use in the intended network before it is deployed.

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain software patches and bug fixes by contacting the Cisco Technical Assistance Center (TAC). TAC
contacts are as follows.

+1 800 553 2447 (toll free from within North America)

+1 408 526 7209 (toll call from anywhere in the world)

e-mail: tac@cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this notice as evidence of entitlement to a software patch or bug fix. Customers without service contracts should request a software patch or bug fix through the TAC.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

In addition to worldwide web posting, a text version of
this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

cust-security-announce@cisco.com

first-bulletins@lists.first.org

bugtraq@securityfocus.com

vulnwatch@vulnwatch.org

cisco@spot.colorado.edu

cisco-nsp@puck.nether.net

full-disclosure@lists.grok.org.uk

comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.